>Loading up a single address with too many UTXOs degrades the entropy of a public-private key pair and makes it easier to brute force a user's private key.
Is there a realistic risk there? If I use an address a million times, how much weaker is it? And how feasible would it be for an attacker to brute for it?
so the risk to the wallet holder is the exact same risk that exists for every single HTTPS connection right now?
Post quantum algorithms have been available. You can do it today. Why not for bitcoin?
In reality, there are very few current real world implementations. This article makes it seem that RSA is under active exploitation. If it is, bitcoin is not the first target IMO
Yes, TLS encryption has similar potential risks, quantum and other elliptic curve vulnerabilities.
Quantum resistant algorithms are under heavy discussion in bitcoin dev mailing list, and have been for awhile. I think the signature sizes for leading algorithms are still too large to be practical within existing block size limits, but of course lots of things would probably have to change in a quantum emergency. Bitcoin devs tend to be extremely conservative with making new changes (in part because it attracts a lot of contrarians) so it's going to take a long time for people to agree on the right architecture for a quantum resistant scheme in bitcoin, but it will happen, BIPs are in the works like BIP-360 which outlines some potential structure for it.
Strictly speaking, loading an address with many UTXOs has no effect on security of the receiving address at all (beyond increasing its public profile).
The security concerns start happening after an address spends a UTXO. Before a P2WPKH (segwit) address is used, only the public key hash is known. In order to spend from it, the full public key needs to be revealed. That's why it's recommended to use single-use addresses, because a quantum computing attack or elliptic curve vulnerability could be used against an address where the attacker knows the public key, but would not work against an address where the pubkey has not yet been revealed.
So, the main security change happens after you spend from an address the first time. Subsequently, there are theoretical vulnerabilities that could occur after an address is spent from many times, but really only if the signer is malicious like dark skippy, or faulty and doesn't properly follow RFC 6979 deterministic signatures, leaking some signature entropy which could be used to crack the private key. The latter has happened with some bad custom wallet implementations, but these attacks are even further in the realm of theoretical, not super realistic, require faulty software/firmware to be implanted into signing devices.